
HJT - Log


3 replies to this topic

#1 Lemming

Lemming

  • Members
  • 58 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 15 June 2005 - 11:16 PM

Here is the HJT Log, enjoy :thumbsup:
_________________________

Logfile of HijackThis v1.99.1
Scan saved at 10:57:03 p.m., on 15/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows.exe
C:\Archivos de programa\Apoint\Apoint.exe
C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\qttask.exe
C:\Archivos de programa\Sony\Jog Dial Utility\JogServ2.exe
C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe
C:\msdos.exe
C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\msnsched2.exe
C:\dfgdfgd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\PowerPanel\Program\PcfMgr.exe
C:\Archivos de programa\Apoint\Apntex.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jorge Villatoro\Configuración local\Temp\Directorio temporal 2 para HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my.search/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=info32.exe
F3 - REG:win.ini: load=C:\\windows.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {01EF4F43-D95F-4167-B311-5F87A890305B} - C:\WINDOWS\System32\kjnkg.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: FFAF - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\JORGEV~1\CONFIG~1\Temp\kbdapmc.dll
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Archivos de programa\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Archivos de programa\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [msnsched2] msnsched2.exe
O4 - HKLM\..\Run: [Services] C:\dfgdfgd.exe
O4 - HKLM\..\RunServices: [msnsched2] msnsched2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O18 - Filter: text/html - {7E1C3F3D-08DE-41EB-BA09-A68D91FCC90D} - C:\WINDOWS\System32\kjnkg.dll
O18 - Filter: text/plain - {7E1C3F3D-08DE-41EB-BA09-A68D91FCC90D} - C:\WINDOWS\System32\kjnkg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

__________

OMG

O2 - BHO: FFAF - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\JORGEV~1\CONFIG~1\Temp\kbdapmc.dll

O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe

O4 - HKLM\..\Run: [msnsched2] msnsched2.exe

O4 - HKLM\..\Run: [services] C:\dfgdfgd.exe

O4 - HKLM\..\RunServices: [msnsched2] msnsched2.exe

+

All the R1's

Freeware: Ad-Aware, Spybot S&D, Avast Antivirus, Kerio Firewall, Cleanup, SpywareBlaster, SpywareGuard

Jesus is the Answer for the World today!
Prayer Changes!
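The log above is a good exercise in reading a HijackThis report the way the responders do: which entries stand out, and why. The following is an added example (not HijackThis's own code and not from anyone in this thread) that parses the R0/R1, F1-F3, O2, O4 and O18 line formats shown in the post and attaches a plain-language reason to each entry it flags. The heuristics, the helper names and the allowlist (`www.sony.com` as the expected OEM start page) are assumptions for illustration; the sample lines are a constructed subset of the log plus two benign entries for contrast.

```python
"""Triage helper for HijackThis-style log lines (added example, heuristics are assumptions)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption for the example: hosts the analyst expects as a start/search page on this machine.
ALLOWED_HOSTS = {"www.sony.com"}

# Constructed sample in the thread's log format (subset of the quoted log + two benign lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
F1 - win.ini: run=info32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: FFAF - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\JORGEV~1\CONFIG~1\Temp\kbdapmc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKLM\..\Run: [msnsched2] msnsched2.exe
O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint\Apoint.exe
O18 - Filter: text/html - {7E1C3F3D-08DE-41EB-BA09-A68D91FCC90D} - C:\WINDOWS\System32\kjnkg.dll
""".strip()

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2})\s+-\s+(.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+$")  # a file sitting directly in the drive root


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _check_paths(body, reasons):
    # Rules that apply to any line carrying a file path.
    for path in PATH_RE.findall(body):
        if ROOT_RE.fullmatch(path):
            reasons.append(f"program sits directly in the drive root: {path}")
        if "\\temp\\" in path.lower():
            reasons.append(f"program loaded from a Temp directory: {path}")


def _check_r(body, reasons):
    # R0/R1: start page, search page and search assistant settings.
    _, _, value = body.partition(" = ")
    url = value.split()[0] if value.split() else ""
    if url.lower().startswith("http"):
        host = urlparse(url).hostname or ""
        if host not in ALLOWED_HOSTS:
            reasons.append(f"start/search page points to an unexpected host: {host}")
    elif url == "about:NavigationFailure":
        reasons.append("search setting left at about:NavigationFailure (broken by a hijack)")
    if "(obfuscated)" in body:
        reasons.append("HijackThis reports the value as obfuscated")


def _check_f(kind, body, reasons):
    # F2: anything after userinit.exe in the UserInit chain runs at every logon.
    if kind == "F2" and "UserInit=" in body:
        progs = [p for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        if len(progs) > 1:
            reasons.append(f"UserInit chain runs extra program(s): {', '.join(progs[1:])}")
    # F1/F3: win.ini run=/load= is a legacy autostart that modern software does not use.
    m = re.search(r"\b(run|load)=(\S+)", body)
    if kind in ("F1", "F3") and m:
        reasons.append(f"legacy win.ini {m.group(1)}= autostart: {m.group(2)}")


def _check_o4(body, reasons):
    # O4: an autostart given only as a bare filename cannot be judged until the file is located.
    m = re.search(r"\]\s*(.*)$", body)
    if m and m.group(1).strip() and "\\" not in m.group(1):
        reasons.append(f"autostart by bare filename, location unresolved: {m.group(1).strip()}")


def _check_o18(body, reasons):
    # O18: a MIME filter on text/html or text/plain intercepts every page the browser renders.
    if re.search(r"Filter:\s*text/(html|plain)", body):
        reasons.append("MIME filter on text/html or text/plain sees every page the browser loads")


def triage(log_text):
    """Return a Finding for every parsed entry that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        reasons = []
        _check_paths(body, reasons)
        if kind.startswith("R"):
            _check_r(body, reasons)
        elif kind.startswith("F"):
            _check_f(kind, body, reasons)
        elif kind == "O4":
            _check_o4(body, reasons)
        elif kind == "O18":
            _check_o18(body, reasons)
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


def flagged_lines(log_text):
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, the two Sony/Adobe/Apoint-style entries pass quietly while the root-level executables, the Temp-resident BHO, the extra UserInit program, the bare `msnsched2.exe` autostart and the text/html filter each come back with the reason a responder would give. The allowlist is the part you would tailor per machine; the rest of the rules are generic enough to reuse on any log in this format.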


#2 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 16 June 2005 - 09:53 PM

Hello Lemming and Welcome!
Sorry you are having malware trouble.
Welcome to BC as an HJT trainee. :thumbsup:

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.

First, we need to move HijackThis from:
C:\Documents and Settings\Jorge Villatoro\Configuración local\Temp\Directorio temporal 2 para HijackThis.zip\HijackThis.exe
Please do the following:
Move hijackthis to the root of your C:\drive. Double-click on My Computer; double-click on your hard drive, (usually the C:\drive) right-click on a blank area, choose New, choose Folder, name the folder hijackthis. Now, place Hijackthis.exe in this folder.

STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here.

STEP 2:
Download the SpSeHjfix tool:
1.) Download SpSeHjfix here and save it to the desktop.
2.) Now right-click on a blank part of the desktop and select New, then Folder. Name this new folder SpSeHjfix.
3.) Now place SpSeHjfix112.exe in the new folder and save it at the root of the C:\ drive, the same location as HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 10MB in size.
Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here
NOTE: If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here.
Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Copy the contents of the Quote Box to Notepad. Name the file as O18fix.reg. Change the Save as Type to All Files, Save this file on the desktop.
Please DO NOT include the word QUOTE when saving the file.

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]

STEP 6:
Please reboot into Safe Mode.
Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up/down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot the PC back into normal mode (Windows).

STEP 7:
From Safe Mode, find the SpSeHjfix folder at the root of the C:\drive, double-click on SpSeHjfix112.exe and click on Start Disinfection. When it has finished its scan, it will reboot your PC to finish the cleaning process and delete the malware files. During this reboot process, tap the F8 again to bring back the menu and select Safe Mode to finish the remaining removal steps.

STEP 8:
From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":
NOTE: Some entries might already be deleted.

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my.search/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=info32.exe
F3 - REG:win.ini: load=C:\\windows.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {01EF4F43-D95F-4167-B311-5F87A890305B} - C:\WINDOWS\System32\kjnkg.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: FFAF - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\JORGEV~1\CONFIG~1\Temp\kbdapmc.dll
O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKLM\..\Run: [msnsched2] msnsched2.exe
O4 - HKLM\..\Run: [Services] C:\dfgdfgd.exe
O4 - HKLM\..\RunServices: [msnsched2] msnsched2.exe
O18 - Filter: text/html - {7E1C3F3D-08DE-41EB-BA09-A68D91FCC90D} - C:\WINDOWS\System32\kjnkg.dll
O18 - Filter: text/plain - {7E1C3F3D-08DE-41EB-BA09-A68D91FCC90D} - C:\WINDOWS\System32\kjnkg.dll


STEP 9:
From Safe Mode, please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.
Scroll down and find "More Advanced Options". Make sure "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" are all checked.

info32.exe <----Delete this file. (Don't delete msinfo32.exe)
msnsched2.exe <----Delete this file.
C:\dfgdfgd.exe <----Delete this file.
C:\windows.exe <----Delete this file.
C:\dfgdfgd.exe <----Delete this file.
C:\msdos.exe <----Delete this file.
C:\WINDOWS\System32\svcinit.exe <----Delete this file.
C:\WINDOWS\System32\kjnkg.dll <----Delete this file.
C:\Archivos de programa\MyWebSearch <----Delete this file.

STEP 10:
From Safe Mode, double-click on the O18fix.reg file, and when it prompts to merge say Yes. This will clear registry entries left behind by the malware infections.

STEP 11:
From Safe Mode, go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
3.) A dialog box stating "175 file(s) unzipped successfully" will appear; click OK. After clicking OK, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are all checked.
5.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.

STEP 13:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier.
Make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.
Be sure to run the program again a second time.

STEP 14:
Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

#3 Lemming

Lemming
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 17 June 2005 - 07:07 PM

Close thread :thumbsup:

That PC will get formatted soon.

Thanks a lot!

#4 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 17 June 2005 - 08:51 PM

Ok, will do. :thumbsup:

(Since you're in training, you should try to clean it up for practice.) :flowers:
